Hi Francois,

Thanks for the quick follow-up, that makes sense. At this point I'm not
really doing anything obscure, just looking for best practices around
bringing office wifi into PacketFence. At some point we will be
authenticating against AD but not just yet.

I think what threw me was that the Zen deployment guide seemed to have the
access point in the management vlan:

Switch
❏ IP: 10.0.10.2
❏ Type: Catalyst 2960
❏ Uplink: f0/24
❏ SNMP Read Community = public
❏ SNMP Write Community = private
❏ Radius Secret (802.1X/MAC Auth.) = s3cr3t

Access Point
❏ IP: 10.0.10.3
❏ Type: Aironet 1242
❏ Uplink: f0/0
❏ Telnet username : Cisco, password: Cisco
❏ Public (MAC Auth.) SSID = InverseGuest
❏ Secure (WPA2) SSID = InverseSecure
❏ Radius Secret (802.1X/MAC Auth.) = s3cr3t

VLAN: Management 10.0.10.0/24, Packetfence Address: 10.0.10.1

I'll put it in in-line as you suggested and encrypt with WPA/PSK for now.

Warm regards,
Stewart

On Tue, Dec 6, 2011 at 4:37 PM, Francois Gaudreault
<[email protected]> wrote:

> Hi Stewart,
>
> > If I run radtest (both locally on the server and from another IP which
> > is included in clients.conf) I now get a successful acknowledgement:
> >
> >   rad_recv: Access-Accept packet from host 192.168.0.51 port 1812,
> > id=98, length=20
> >
> > The challenge is that the username and password included in the
> > connection string don't seem to have any impact at all:
> >
> >   radtest demouser wrongpassword 192.168.0.51 10 testing123  {works}
> >   radtest demouser correctpassword 192.168.0.51 10 testing123  {works}
> This is because you are sending PAP authentication to RADIUS.  By
> default, everything that is not EAP will be allowed (have a look in the
> first line of the /etc/raddb/users) regardless of what you are sending.
>
> Now I don't know what you are trying to achieve, maybe you can add more
> details.  Are you trying to do WPA2-Enterprise authentication?  If it's
> the case, keep in mind that radtest is only able to do EAP-MD5, not
> PEAP.   That will fail if you are trying to test with radtest; RADIUS is
> configured to do PEAP using our configuration package.
>
> >
> > I'm using the default Zen registration user and can successfully
> > register clients connected to the LAN via the inline interface (we're
> > testing in inline mode currently, no vlan enforcement).
> >
> > At the end of the day I'm attempting to register a wireless client via
> > a new WAP and although I get prompted for network credentials nothing
> > else happens.
> If you are using inline, you don't need to have security on the wireless
> side, you put the SSID straight into the inline VLAN, that's it.  If you
> want encryption, use WPA/WPA2-PSK instead, it's much easier to make
> it work than WPA2-Enterprise.
>
> Hope it helps.
>
> --
> Francois Gaudreault, ing. jr
> [email protected]  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
> www.packetfence.org)
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
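
The right-password/wrong-password comparison run by hand in the thread can be scripted as a paired test that reports when a RADIUS server accepts regardless of the password. This is an added example, not part of the original thread or of PacketFence's tooling; the function names and the Access-Reject sample line are constructed for illustration, and it assumes the reply line names the packet type as in the `rad_recv` line quoted above.

```shell
#!/bin/sh
# Added example: paired positive/negative RADIUS credential test.
# Function names are hypothetical; sample outputs are constructed.

# radius_verdict: read captured radtest output on stdin,
# print accept | reject | no-reply.
# Assumption: the reply line contains Access-Accept or Access-Reject.
radius_verdict() {
    out=$(cat)
    case "$out" in
        *Access-Accept*) echo accept ;;
        *Access-Reject*) echo reject ;;
        *)               echo no-reply ;;   # request sent, nothing usable came back
    esac
}

# password_check_result GOOD_VERDICT BAD_VERDICT
# Compare the verdict for a known-good password with the verdict for a
# known-bad one and name the situation.
password_check_result() {
    g=$1
    b=$2
    case "$g/$b" in
        accept/reject) echo credentials-checked ;;  # server validates the password
        accept/accept) echo accept-all ;;           # password has no effect
        reject/reject) echo always-reject ;;        # user unknown or secret mismatch
        *no-reply*)    echo inconclusive ;;         # at least one request got no answer
        *)             echo unexpected ;;           # good rejected, bad accepted
    esac
}

# Constructed samples; the first mirrors the line quoted in the thread.
SAMPLE_ACCEPT='rad_recv: Access-Accept packet from host 192.168.0.51 port 1812, id=98, length=20'
SAMPLE_REJECT='rad_recv: Access-Reject packet from host 192.168.0.51 port 1812, id=99, length=20'

# Against a live server the two captures would come from the thread's commands:
#   radtest demouser correctpassword 192.168.0.51 10 testing123
#   radtest demouser wrongpassword   192.168.0.51 10 testing123
good_v=$(printf '%s\n' "$SAMPLE_ACCEPT" | radius_verdict)
bad_v=$(printf '%s\n' "$SAMPLE_ACCEPT" | radius_verdict)   # wrong password, still accepted
echo "situation from the thread: $(password_check_result "$good_v" "$bad_v")"
```

A result of `accept-all` for a PAP request matches the behaviour explained in the quoted reply, where a default rule accepts everything that is not EAP.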
